HIPAA compliance and filming in healthcare settings

Healthcare organizations and media professionals must work together to balance the public interest in healthcare storytelling with the right to patient privacy.

Understanding HIPAA's requirements

The Health Insurance Portability and Accountability Act (HIPAA) sets strict standards for protecting patient health information. When it comes to filming in healthcare settings, HIPAA's Privacy Rule is important. This federal law safeguards individually identifiable health information, including visual recordings that may reveal:

• Patient identity
• Medical conditions
• Treatments received
• Physical or mental health status
• Payment information

Required permissions and documentation

Hospital administration approval

Healthcare facilities must provide explicit permission for any filming on their premises. This typically involves:

• Detailed project proposals
• Filming schedules
• Location specifications
• Security protocols
• Insurance documentation
  
  

Patient authorization

Written consent from patients is mandatory before filming can include them. This authorization must:

• Be specific about how the footage will be used
• Detail who will have access to the recordings
• Specify the duration of permitted use
• Include an expiration date
• Be written in clear, understandable language
• Inform patients of their right to revoke consent

An HHS FAQ on PHI disclosures to film and media notes, “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the [Health Insurance Portability and Accountability Act] Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.”  

Different rules for educational vs. commercial filming

Educational filming

Educational filming in healthcare settings has broader permissions under HIPAA when used for training medical professionals, students, or staff. Distinctions include:

• Limited audience exception: When footage is strictly for internal educational purposes among healthcare professionals, simplified authorization processes may apply.
• De-identification requirements: Educational content must still adhere to de-identification standards if shown beyond the immediate care team.
• Teaching hospital provisions: Academic medical centers often have established protocols specifically for educational recording with streamlined consent procedures.
• Medical conference use: Special considerations apply when patient cases are presented at medical conferences, requiring specific consent for this educational purpose.

According to a resource titled HIPAA Guidance on Photos, Video and Audio Recording in Clinical Areas published on the Yale University website, “Prior consent is recommended for recordings taken for either internal student/staff training or external presentations (such as at conferences, academic presentations, etc.), even if those recordings do not identify the patient or contain PHI (e.g., skin rash on the arm). Recordings of a patient that identify the patient or contain PHI require HIPAA authorization or de-identification before they can be used for academic purposes (such as at conferences, academic presentations, etc.) or for training of individuals not part of the institution’s workforce.”

Commercial filming

Commercial filming has more strict requirements:

• Authorization: Commercial projects require detailed patient authorizations specifying all potential commercial uses.
• Marketing distinctions: If the content will be used for marketing the healthcare facility, additional HIPAA marketing provisions apply.
• Compensation disclosure: Any remuneration to the healthcare facility must be disclosed to patients.
• Ongoing rights management: Commercial productions must address long-term rights management for any patient-identifiable content.

Legal distinctions between news reporting and entertainment/documentary filming

News reporting

The Association of Healthcare Journalists states that, “The Health Insurance Portability and Accountability Act includes privacy protections for patients that can be misunderstood and misapplied by health officials and health care organizations. In some instances, HIPAA has been improperly used to deny reporters’ requests for interviews with patients and clinicians or to obtain medical information. Reporters should be familiar with the law in order to understand when and to whom it applies.”

News organizations operate under different legal frameworks when covering healthcare stories:

• Public interest exception: Courts have recognized limited exceptions for news gathering in public interest cases.
• Emergency situation coverage: Different standards may apply during public health emergencies or disasters.
• Prior restraint protections: News organizations have constitutional protections against prior restraint, though these do not override HIPAA.
• Limited access provisions: HHS guidance allows news media in public areas of healthcare facilities without business associate agreements.
  
  

Documentary/entertainment

Documentary and entertainment productions face more restrictions:

• Business associate requirements: Must establish formal HIPAA business associate agreements.
• Prolonged presence considerations: Extended filming periods require more privacy infrastructures.
• Edit approval rights: Patients often retain rights to review and approve their portrayal.
  
  

Legal precedents

Several court cases have shaped these distinctions:

• A NYP Hospital case established that reality shows do not qualify for news exemptions.
• Court rulings have clarified that "public interest" alone does not override HIPAA protections.
• Recent federal guidance has emphasized that journalistic freedom must be balanced with patient privacy through appropriate technical and physical safeguards.

Best practices for compliant filming

Crews must carefully select dedicated locations that minimize patient exposure, avoiding high-traffic areas like waiting rooms where accidental recording could occur. Clear physical boundaries and visible signage help prevent unintended patient documentation.

Technical safeguards are equally crucial in protecting patient confidentiality. All recorded footage demands secure storage with robust encryption for digital files. Comprehensive logging systems and clear protocols for footage review and deletion ensure that sensitive information remains protected throughout the production process.

Every team member must undergo thorough HIPAA training, with a dedicated compliance officer monitoring filming activities. Identification badges are mandatory, and rigorous screening of both personnel and equipment helps prevent potential privacy breaches. 

According to the Department of Health and Human Services, “The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility.”

Furthermore, “If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate.  Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed.  See 45 C.F.R. 164.504(e)(2).  As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI.  In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated.”

International considerations for global healthcare footage distribution

When healthcare filming crosses international borders, compliance becomes more complex:

• GDPR and healthcare filming: European Union's General Data Protection Regulation imposes additional requirements beyond HIPAA, including the "right to be forgotten" for patients who later withdraw consent.
• Data sovereignty: Many countries restrict the transfer of health data across borders, requiring separate authorizations for international distribution.
• Cultural sensitivity: Privacy expectations differ globally, with some cultures requiring more stringent anonymization than others.
• Translation requirements: Consent documents must be translated into patients' native languages with certified accuracy.
• Footage storage jurisdiction: Legal requirements about where footage containing health information can be stored vary by country.

Common pitfalls to avoid

Incidental disclosure represents a risk in healthcare filming. Even background footage can violate HIPAA privacy protections by capturing sensitive patient information. This includes details like patient names visible on charts or doors, computer screens displaying health information, overheard conversations about patient care, or medical records and prescriptions within camera range. Such incidental captures can quickly transform a well-intentioned filming project into a serious privacy breach.

Case Study: New York-Presbyterian Hospital's unauthorized filming incident

Background

In 2016, New York-Presbyterian Hospital (NYP) faced penalties for allowing a television film crew to record footage within its facilities without obtaining prior authorization from patients. This filming was intended for the ABC series "NY Med." The Office for Civil Rights (OCR) investigated the incident and found that the hospital had compromised patients' privacy rights, leading to a substantial settlement. 

Compliance Breach

The OCR identified several issues in NYP's approach:

• Lack of patient authorization: Patients were filmed without their explicit consent, violating HIPAA's requirement for prior authorization before disclosing Protected Health Information (PHI) to third parties.
• Inadequate Safeguards: The hospital failed to implement appropriate measures to protect patient privacy during the filming process, resulting in unauthorized exposure of PHI.
  
  

Consequences

As a result of these violations, NYP agreed to a settlement that included:

• Monetary penalty: A payment of $2.2 million to resolve potential HIPAA violations.
• Corrective action plan: Implementation of a comprehensive plan to address the deficiencies, including staff training and policy revisions to prevent future occurrences.
  
  

Lessons learned

This case shows the importance of adhering to HIPAA regulations during any media-related activities within healthcare settings. Key takeaways include:

• Obtain explicit consent: Always secure written authorization from patients before involving them in any filming or media projects.
• Implement safeguards: Appropriate measures must be in place to protect PHI during media activities, such as restricting access to filming areas and monitoring the use of recording equipment.
• Conduct staff training: Educate staff on HIPAA requirements and the importance of maintaining patient confidentiality, especially concerning media engagements.

FAQs

Can media crews freely enter any area of a healthcare facility? 

According to the HHS, media can enter public areas generally accessible to the public, like waiting rooms or entry/exit areas. However, accessing patient care areas or recording patients requires explicit authorization and patient consent.

What happens if a film crew accidentally captures patient information? 

Incidental capture of patient health information (PHI) can constitute a HIPAA violation. Even background details like names on charts, computer screens, or overheard conversations can breach patient privacy.

Do film crews need special agreements to work in healthcare settings? 

Yes. If patient identification or PHI might be disclosed, healthcare providers must establish a HIPAA business associate agreement with the film crew. 

Can security cameras in hospitals capture patient interactions without violating HIPAA?

Yes, as long as they are used for legitimate security purposes and do not improperly disclose patient health information.

Are healthcare workers allowed to record patients for internal documentation?

Yes, but only when necessary for treatment or operations and in compliance with HIPAA's minimum necessary rule.